Risk, threat and vulnerability: Clarity of terms helps strengthen data security in enterprises


Renato Mirabili Júnior, Information Security Consultant at Protiviti, stresses that organizations must know how to define the terms ‘risk’, ‘threat’ and ‘vulnerability’ when making decisions in sensitive situations involving data security. In his view, this leads to more assertive management analysis and, in turn, more effective protection of information.

Currently, one of the biggest concerns of large corporations is related to information security. According to the Future of Cybersecurity 2023 survey, conducted by consulting firm Deloitte, 91% of high-performing companies invest in cybersecurity. In addition, at least 66% of organizations review and update their plans annually.

And when we talk about issues related to cybersecurity, several terms are used, among which ‘risk’, ‘threat’ and ‘vulnerability’ stand out.

However, while the numbers are positive and these terms are in common use, it is important to understand the differences between them in order to make informed business decisions.

Being clear about the situation, whether it is a risk, a threat, or a vulnerability, is critical to ensuring the effectiveness of data security activities in organizations.

The definition of each term is therefore set out below, so that companies are better prepared to address such problems.


‘Risk’ can be defined as any event that may have a negative impact on the company’s business, i.e. anything that may prevent the organization from achieving its business objectives.

This involves the potential for loss, damage, or even the destruction of an asset. ‘Risk’ can be classified into several categories, such as uncontrollable, market, operational, legal and human, among others.

According to OWASP (Open Web Application Security Project), an online community that creates and makes available free articles, methodologies, documentation, tools and technologies in the field of web application security, the severity of a ‘risk’ can be calculated as follows: risk equals likelihood times impact. This means that by knowing the data about the threat actor, as well as the impact on the business, we can get an overview of the severity of that risk.
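A worked version of the OWASP calculation described above, added here as an example and not part of the original article: it expands the one-line ‘likelihood times impact’ into the factor averaging and the severity matrix of the OWASP Risk Rating Methodology, which goes beyond what the article itself spells out. The factor names and the 0–9 bands follow that methodology; the function names and the sample scenario values are constructed for illustration.

```python
"""OWASP-style risk rating: likelihood x impact, worked through with factors.

Added example; not code from the article or from OWASP. Factor names and
thresholds follow the OWASP Risk Rating Methodology; scenario values below
are constructed for illustration only.
"""
from statistics import mean

# Likelihood is estimated from threat-agent factors and vulnerability factors.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                      # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
# Impact is estimated from technical factors and business factors.
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",                   # technical
    "financial_damage", "reputation_damage",
    "non_compliance", "privacy_violation",                              # business
)

# Overall severity is read off the OWASP likelihood/impact matrix.
SEVERITY_MATRIX = {
    ("LOW", "LOW"): "NOTE",      ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",    ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",   ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


def level(score: float) -> str:
    """Map a 0-9 average onto the OWASP bands: <3 LOW, 3 to <6 MEDIUM, 6-9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside the 0-9 scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors: dict, names: tuple) -> float:
    """Average the named factors, refusing missing or out-of-range entries
    so an incomplete assessment cannot silently lower the score."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise KeyError(f"missing factors: {missing}")
    for n in names:
        if not 0 <= factors[n] <= 9:
            raise ValueError(f"factor {n}={factors[n]} outside the 0-9 scale")
    return mean(factors[n] for n in names)


def rate(likelihood_factors: dict, impact_factors: dict) -> dict:
    """Return likelihood, impact, their bands and the overall severity."""
    likelihood = average(likelihood_factors, LIKELIHOOD_FACTORS)
    impact = average(impact_factors, IMPACT_FACTORS)
    l_level, i_level = level(likelihood), level(impact)
    return {
        "likelihood": likelihood,
        "impact": impact,
        "likelihood_level": l_level,
        "impact_level": i_level,
        "severity": SEVERITY_MATRIX[(l_level, i_level)],
    }


# Constructed scenario: an external criminal (threat) targeting an unpatched,
# internet-facing system (vulnerability) that holds customer data (impact).
SAMPLE_LIKELIHOOD = {
    "skill_level": 3, "motive": 4, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9, "intrusion_detection": 8,
}
SAMPLE_IMPACT = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 5,
    "loss_of_availability": 5, "loss_of_accountability": 7,
    "financial_damage": 3, "reputation_damage": 4,
    "non_compliance": 5, "privacy_violation": 7,
}

if __name__ == "__main__":
    for key, value in rate(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT).items():
        print(f"{key}: {value}")
```

The sample assessment averages to a likelihood of 6.75 (HIGH) and an impact of 5.375 (MEDIUM), giving an overall severity of HIGH. The point of the factor breakdown is that it separates what the article calls the threat (the agent factors) from the vulnerability (the ease-of-discovery and detection factors), so a mitigation can be scored by changing only the factors it actually affects.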

To better illustrate this definition, some of the most commonly observed risks in companies are business discontinuity; financial, privacy and trust losses; loss of life; reputational damage; legal sanctions; and damage to growth.


A ‘threat’ is characterized as a potential event or cause of an unwanted incident that can negatively impact the system. The term is also used when the danger originates from a malicious actor who searches for a vulnerability in the organization.

In this sense, the most common examples of ‘threat’ in companies are disgruntled and/or dishonest employees; criminals or cybercriminals; governments; terrorists or cyberterrorists; rival or competing companies; natural events and catastrophes.


‘Vulnerability’ can be defined simply as a ‘weakness’ that can be exploited by a threat, whether in a system, an internal control, or even a security procedure. Such weaknesses leave systems susceptible to various illegitimate and/or illegal activities.

In this regard, vulnerabilities can give rise to the risks mentioned above, causing significant and, in some cases, irreversible losses.

In this context, the most common examples seen in the market are bugs in software; inadequate or inappropriate processes; ineffective controls; human error; and hardware and systems without updates.

In summary, understanding the differences between these terms is the critical first step for a company to identify and manage vulnerabilities effectively. With this knowledge, it is possible to combat threats and, consequently, to considerably reduce risks in organizations.
